EU Privacy Policy

I. OBJECTIVE

The aim of this EU Privacy Policy (“the Policy”) is to provide adequate and consistent safeguards for the handling of Personal Data (as defined below) by all “FleishmanHillard entities” (as defined below) in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) and all the relevant transposing legislation of the Directive in the European Union/European Economic Area (“EU/EEA”), the Swiss Federal Data Protection Act, as such laws may from time to time be amended and valid during the application of this Policy, and any other privacy laws, regulations and principles concerning the collection, storage, use, transfer and other processing of Personal Data transferred from the European Economic Area (“EEA”) or Switzerland to the United States including but not limited to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“the General Data Protection Regulation”) as of its entry into force on 24 May 2018.

II. SCOPE

This Policy applies to all FleishmanHillard entities in the EU that process Personal Data.

“Consumer” “Consumer” means any natural person who is located in the EU, but excludes any individual acting in his or her capacity as an Employee.

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of Personal Data as referred to in applicable data privacy laws.

“Employee” means any current, former or prospective employee, temporary worker, intern or other non-permanent employee of FleishmanHillard or any current or prospective subsidiary or affiliate of FleishmanHillard.

“FleishmanHillard entities (“FleishmanHillard”)” means Fleishman-Hillard Inc. and all affiliates or other entities owned or controlled by FleishmanHillard in the EEA, irrespective of their different denominations that such entities may hold in different jurisdictions in the EEA.

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity and includes information, that (i) relates to an identified or identifiable Customer, Employee or Supplier’s representative; (ii) can be linked to that Customer, Employee or Supplier’s representative; (iii) is transferred to FleishmanHillard in the U.S. from the EEA or Switzerland, and (iv) is recorded in any form.

“Sensitive Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or concerning health or sex, and the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

“Supplier” means any supplier, vendor or other third party located in the USA and/or the EEA or Switzerland that provides services or products to FleishmanHillard. For the purposes of this Policy Suppliers shall be included within the definition of “Consumers” above.

“Systems Privacy Point of Contact” means individual officers designated by FleishmanHillard as the initial points of contact for inquiries, complaints, or questions regarding privacy matters. Currently, such officers are identified at the end of this Policy.

“Processing” is defined as any action that is performed on Personal Data, whether in whole or in part by automated means, such as collecting, modifying, using, disclosing, or deleting such data.

This Policy does not cover data rendered anonymous or where pseudonyms are used. Data is rendered anonymous if individuals are no longer identifiable or are identifiable only with a disproportionately large expense in time, cost or labor. The use of pseudonyms involves the replacement of names or other identifiers with substitutes, so that identification of individual persons is either impossible or at least rendered considerably more difficult. If data rendered anonymous become no longer anonymous (i.e. individuals are again identifiable), or if pseudonyms are used and the pseudonyms allow identification of individual persons, then this Policy shall apply again.

III. APPLICATION OF LOCAL LAWS

This Policy is designed to provide compliance with all relevant applicable laws in the EEA and in particular those transposing the Directive. FleishmanHillard recognizes that certain laws might be modified to require stricter standards than those described in this Policy, in which case the stricter standards shall apply. FleishmanHillard will handle Personal Data in accordance with local law at the place where the Personal Data is processed. If applicable law provides for a lower level of protection of Personal Data than that established by this Policy, then this Policy shall prevail. Any questions about applicable legislation and FleishmanHillard’s compliance with it shall be addressed to FleishmanHillard’s local legal department or to the legal department in the US.

IV. PRINCIPLES FOR PROCESSING PERSONAL DATA

FleishmanHillard respects Employee, Consumer (including personnel of customers, suppliers, stakeholders, and third parties) privacy and is committed to protecting Personal Data in compliance with the applicable legislation in the EEA. This compliance is consistent with FleishmanHillard’s desire to keep its Employees and Consumers informed and to recognize and respect their privacy rights. FleishmanHillard will observe the following principles when processing Personal Data:

Data will be processed fairly and in accordance with applicable law.

Data will be collected for specified, legitimate purposes and not processed further in ways incompatible with those purposes.

Data will be relevant to and not excessive for the purposes for which they are collected and used. For example data may be rendered anonymous if deemed reasonable, feasible and appropriate, depending on the nature of the data and the risks associated with the intended uses.

Data subjects in the EU will be asked to provide their clear and unequivocal consent for the collection, processing and transfer of their Personal Data.

Data will be accurate and, where necessary kept up up-to-date. Reasonable steps will be taken to rectify or delete Personal Data that is inaccurate or incomplete.

Data will be kept only as it is necessary for the purposes for which it was collected and processed. Those purposes shall be described in this Policy.

Data will be deleted or amended following a relevant request by the concerned data subject, should such notice comply with the applicable legislation each time.

Data will be processed in accordance with the individual’s legal rights (as described in this Policy or as provided by law).

Appropriate technical, physical and organizational measures will be taken to prevent unauthorized access, unlawful processing and unauthorized or accidental loss, destruction or damage to data. In case of any such violation with respect to Personal Data, FleishmanHillard will take appropriate steps to end the violation and determine liabilities in accordance with applicable law and will cooperate with the competent authorities.

V. TYPES OF DATA PROCESSED

As permitted by local laws, the Personal Data relating to Employees may include the following:

Contact information, such as name, postal address, email address and telephone number; and

Personal Data in content Consumers provide on FleishmanHillard’s website and other data collected automatically through the website (such as IP addresses, browser characteristics, device characteristics, operating system, language preferences, referring URLs, information on actions taken on our website, and dates and times of website visits).

Financial account information.

FleishmanHillard also may obtain and use Consumer Personal Data in other ways for which FleishmanHillard provides specific notice at the time of collection (including but not limited to e.g. surveys, focus groups, market research, inbound and outbound Consumer communications and education, etc.).

VI. WAYS OF OBTAINING PERSONAL DATA

The ways by which FleishmanHillard obtains Personal Data are defined hereby. FleishmanHillard does not obtain any personal information about Employees or Consumers unless the Employee or Consumer has provided that information to FleishmanHillard in a way providing for its clear and unequivocal consent to do so including but not limited to visiting FleishmanHillard’s website, by completion of a written employment application, employee benefits application, insurance form, consent form, survey, or completion of an on-line or hard copy form. Employees and Consumers may choose to submit personal, private information by facsimile, regular mail, e-mail, or electronic transmission over our internal web site, interoffice mail, or personal delivery, as each of these methods may be deemed applicable each time.

VII. PURPOSES FOR PERSONAL DATA PROCESSING

FleishmanHillard processes personal data for legitimate purposes related to human resources, business and safety /security. The limitation of purposes shall be taken into consideration before any type of processing of Personal Data and shall not be subject to any changes without prior notification. These principal purposes for Employee Personal Data include:

Human resources purposes including but not limited to recruiting and hiring job applicants, and:

Managing information technology and communications systems, such as the corporate email system and company directory;

Conducting ethics and disciplinary investigations;

Administering Employee grievances and claims;

Managing audit and compliance matters;

Complying with applicable legal obligations, including government reporting and specific local law requirements; and

Other general human resources purposes.

FleishmanHillard may also obtain and process Personal Data about Employees’ emergency contacts and other individuals (such as spouse, family members, dependents and beneficiaries) to the extent Employees provide such information to FleishmanHillard. FleishmanHillard processes this information to comply with its legal obligations and for benefits administration and other internal administrative purposes.

For Consumer specific Personal Data, the purposes of processing may include:

Running day-to-day business relationship

Marketing activities

Management of financial accounts

Business Development Activities

Conduct of transactions or facilitation of offering of the FleishmanHillard Services

For Client and Supplier specific information, the purposes of processing may include:

Management of its relationships with its Clients and Suppliers

Processing payments, expenses and reimbursements

Carrying out FleishmanHillard’s obligations under such contracts

If FleishmanHillard introduces a new process or application that will result in the processing of Personal Data for purposes that go beyond the purposes described above, FleishmanHillard will inform the concerned data subjects of such new process or application, new purpose for which the Personal Data are to be used, and the categories of recipients of the Personal Data.

To safeguard against unauthorized access to Personal Data by third parties outside FleishmanHillard, all electronic Personal Data held by FleishmanHillard are maintained on Systems that are protected by up-to-date secure network architectures that contain firewalls and intrusion detection devices. The data saved in servers is “backed up” (i.e. the data are recorded on separate media) to avoid the consequences of any inadvertent erasure, destruction or loss otherwise. The servers are stored in facilities with high security, access protected to unauthorized personnel, fire detection and response systems.

The location of these servers is known to a limited number of FleishmanHillard’s Employees.

Access security

The importance of security for all personally identifiable information associated with FleishmanHillard’s Employees is of highest concern. FleishmanHillard is committed to safeguarding the integrity of personal information and preventing unauthorized access to information maintained in FleishmanHillard’s databases. These measures are designed and intended to prevent corruption of data, block unknown and unauthorized access to our computerized system and information, and to provide reasonable protection of Personal Data in FleishmanHillard’s possession. All employee files are confidentially maintained in the HR department in secured and locked file cabinets or rooms. Access to the computerized database is controlled by a log-in sequence and requires users to identify themselves and provide a password before access is granted. Users are limited to data required to perform their job function. Security features of our software and developed processes are used to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.

Training

FleishmanHillard will be responsible for conducting adequate training sessions regarding the lawful, enumerated intended purposes of processing Personal Data, the need to protect and keep information accurate and up-to-date, the lawful purposes of collecting, handling and processing data that is transferred from the EU to the US and the need to maintain the confidentiality of the data to which employees have access. Authorized users will comply with this Policy and FleishmanHillard will take appropriate actions in accordance with applicable law, if Personal Data are accessed, processed, or used in any way that is inconsistent with the requirements of this Policy.

IX. RIGHTS OF DATA SUBJECTS

Any person has the right to be provided with information as to the nature of the Personal Data stored or processed about him or her by FleishmanHillard and may request deletion or amendments.

All Employees and Consumers have access to their own personal information and may correct or amend it as needed. Employees may view their own personnel record upon request by contacting the local Talent Development contact or by accessing certain information in the company’s internet and/or extranet. Consumers may contact the Privacy POC or Privacy@fleishman.com to review, update, and revise their Personal Data.

If access is denied, the Employee and Consumer has the right to be informed about the reasons for denial. The person affected may resort to the dispute resolution described in Section XIII as well as in any competent regulatory body or authority. FleishmanHillard shall handle in a transparent and timely manner any type of internal dispute resolution procedure about Personal Data is conducted.

If any information is inaccurate or incomplete, the person may request that the data be amended. It is every person’s responsibility to provide Talent Development in the case of Employees, or the Systems Privacy POC in the case of Consumers with accurate Personal Data about him or her and to inform such contacts of any changes. (e.g. new home address or change of name).

If the person demonstrates that the purpose for which the data is being processed in no longer legal or appropriate, the data will be deleted, unless the applicable law requires otherwise.

X. TRANSFERS

In connection with the activities described under Section VII, FleishmanHillard may transmit Personal Data outside the EU and more specifically to: (i) FleishmanHillard’s headquarters in St. Louis, Missouri, USA; (ii) FleishmanHillard’s different offices in the US; (iii) FleishmanHillard affiliated entities in the US. Moreover, Personal Data might be sent to the following third parties in or outside the EEA:

Selected Third Parties: FleishmanHillard will not disclose or share any personal information with any external entity or third party, except to an employee’s designated insurance provider, employee benefits administrator, travel professionals, clients to illustrate experience and qualifications for business purposes or promotion and not beyond that, to third party vendors and/or marketers upon Consumer’s explicit consent or as an employee or consumer may designate.

Other Third Parties: FleishmanHillard may be required to disclose certain Personal Data to other third parties: (i) As a matter of law (e.g. to tax and social security authorities); (ii) to protect FleishmanHillard’s legal rights; (iii) in an emergency where the health or security of an employee is endangered (e.g. a fire); (iv) to Law Enforcement Authorities in accordance with the relevant legislation in the different EEA Member States including but not limited to legislation transposing the EU/2016/1148 concerning measures for a high common level of security of network and information systems across the Union (“the Network Information Security Directive”).

XI. AUTOMATED DECISIONS

Automated decisions are defined as decisions about individuals that are based solely on the automated processing of data and that produce legal effects that significantly affect the individuals involved.

FleishmanHillard does not make automated decisions for Employee or Consumer data. If automated decisions are made, affected persons will be given an opportunity to express their views on the automated decision in question and object to it.

XII. ENFORCEMENT RIGHTS AND MECHANISMS

FleishmanHillard will ensure that this Policy is observed and duly implemented. All persons who have access to Personal Data must comply with this Policy. Violations of the applicable data protection legislation in the EEA may lead to penalties and/or claims for damages.

If at any time, a person believes that Personal Data relating to him or her has been processed in violation of this Policy, he or she may report the concern to the competent FleishmanHillard’s official. In particular If you have any inquires or complaints about the use or limitation of use of your personal information, you may contact your local human resource (“HR”) contact or the HR department at corporate headquarters:

FleishmanHillard is using JAMS (Judicial Arbitration and Mediation Services) as the Alternative Dispute Resolution Provider for Consumer specific data since September 23, 2016. Consumers may file a complaint concerning FleishmanHillard’s processing of their Personal Data. FleishmanHillard will take steps to remedy issues arising out of its alleged failure to comply with applicable data privacy laws. Consumers may contact FleishmanHillard as specified above about complaints regarding the company’s Consumer Personal Data practices.

If a Consumer’s complaint cannot be resolved through FleishmanHillard’s internal processes, FleishmanHillard will cooperate with the alternative dispute resolution provider, JAMS, pursuant to the JAMS International Mediation Rules, available on the JAMS website at:

JAMS mediation may be commenced as provided for in the relevant JAMS rules.

Employees

For Employee Personal Data, FleishmanHillard is committed to cooperate with the different national EU Data Protection Authorities (“DPAs”) and comply with the dispute resolution procedures such DPAs may indicate in cases of complaints by Employees as well as with any regulations or guidelines such DPAs may issue from time to time in in accordance with EU and Member State data protection legislation. FleishmanHillard undertakes to register and/or keep its registration updated as a data controller and/or processor in all jurisdictions where FleishmanHillard maintains entities in the EU.

XIV. COMMUNICATION ABOUT THE POLICY

In addition to the training on this Policy, FleishmanHillard will communicate this Policy to current and new employees and consumers by posting it on the company’s EU offices’ websites as well as on selected internal FleishmanHillard websites and by providing a link to the Policy on information technology applications where Personal Data are collected and processed.

MODIFICATIONS OF THE POLICY

FleishmanHillard reserves the right to modify this Policy as needed, for example, to comply with changes in laws, regulations or requirements introduced by DPAs. Changes must be approved by FleishmanHillard’s Privacy POCs, the office of the corporate legal department, or their designees who will seek input as they reasonably deem appropriate from corporate executives such as the CEO, CFO, COO, and Chief of Staff, for the amended Policy to enter into force. If FleishmanHillard makes changes to the Policy, this amended Policy will be submitted for renewed approval according to the relevant applicable provisions of the law. FleishmanHillard will inform FleishmanHillard Employees, Consumers and other persons (e.g. persons accessing FleishmanHillard websites to enter Personal Data such as job application information) of any material changes in the Policy. FleishmanHillard will post all changes to the Policy on relevant internal and external websites.

Effective with the implementation of this Policy, all existing and applicable EU company privacy guidelines relating to the collection and/or processing of Personal Data will, where in conflict, be superseded by the terms of this Policy. No other internal policy that conflicts with this Policy shall be applicable with respect to the protection of Personal Data handled by FleishmanHillard in the EU. All parties to such agreements will be notified of the effective date of the implementation of the Policy.

XVI. OBLIGATIONS TOWARDS DATA PROTECTION AUTHORITIES

FleishmanHillard will respond diligently and appropriately to requests from DPAs about this Policy or compliance with applicable data protection privacy laws and regulations. FleishmanHillard’s employees who receive such requests should contact their human resources manager or business legal counsel. FleishmanHillard will, upon request, provide DPAs with names and contact details of relevant persons. With regard to transfers of Personal Data between FleishmanHillard entities, the importing and exporting FleishmanHillard entities will (i) cooperate with inquiries from the DPA responsible for the entity exporting the data and (ii) respect its decisions, consistent with applicable law and due process rights. With regard to transfers of data to third entities, FleishmanHillard will comply with DPAs’ decisions relating to it and cooperate with all DPAs in accordance with applicable legislation.